Army, DOD IG disagree over mobile device management

Army officials have taken issue with a recent Defense Department Inspector General report that found the Army is deficient in tracking, configuring and managing its commercial devices.

The DOD IG report was released March 26 but then was pulled from the agency's website with no explanation; a spokesperson there declined to comment. The report was re-posted on April 4 with new detailed comments from a representative from the Army CIO/G-6 office. (Read the report.)

The inspector sought to determine whether the Army has an effective cybersecurity program surrounding the service's use of commercial mobile devices (CMDs). According to the report, the answer was no – and as a result, Army networks are more vulnerable to cybersecurity attacks and data leaks.

"Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army," Alice Carey, assistant inspector general for readiness, operations and support, wrote in her findings.

Additionally, the Army also failed to ensure its commands properly configured devices to store protected information and to use a mobile device management application to do so. The service also lacks requirements for properly sanitizing devices and controlling their use as removable media, and for training and use agreements specifically for CMDs, the report stated.

"The Army CIO should develop clear and comprehensive policy to include requirements for reporting and tracking all CMDs," Carey wrote, noting that policy should include mobile pilots. "In addition, the Army CIO should extend existing information assurance requirements to the use of all CMDs."

While an Army CIO cybersecurity directorate wrote that the office's leadership agrees with some of the report's recommendations, he also defended existing Army policies.

In the written response included in the DOD IG report, Maj. Gen. Stuart Dyer, director of the Army CIO/G-6 cybersecurity directorate and senior information assurance officer, pointed to policies already in place to secure devices as well as ongoing plans to transition some management responsibilities to the Defense Information Systems Agency.

Dyer emphasized that Army CIO/G-6 Lt. Gen. Susan Lawrence in November 2011 signed a memorandum directing Army organizations to register each mobile pilot. He also noted that the Army cybersecurity directorate runs a SharePoint portal where Army components must register mobile pilots and provide project information.

"The registration process ensures that sensitive information and personal identifiable information is not allowed and the platform cannot connect to the Army e-mail system. On 3 April 2012 the Secretary of the Army signed a memorandum titled 'Mobile Computing Devices' and stated no unauthorized CMDs will be connected to the NIPRNet or used to conduct official business," Dyer wrote. "In summary, no CMDs are currently allowed for Army use outside of authorized pilots and policy and guidance has been promulgated."

Dyer also wrote that his office would extend information assurance requirements to CMDs, but it would not establish CMDs as a separate or stand-alone information system as the report suggests.

According to the DOD IG, those efforts are inadequate.

With the final version of the DOD IG report now published, the Army CIO/G-6 office is putting together additional response, an Army official said.

"Security of the commercial mobile devices that connect us to our network is a very high priority for the Army," said Margaret McBride, Army CIO/G-6 spokeswoman. "The CIO/G-6 is working with the DOD IG's office to prepare a response to their final report's finding."

FCW investigated efforts by the departments of Defense and Veterans Affairs to improve a joint data repository on military and veteran suicides. Something as impersonal and mundane as incomplete datasets could be exacerbating a national tragedy.

The National Information Exchange Model's usefulness extends far beyond its origins in justice and law enforcement.

Reader comments

Mon, Apr 8, 2013
Jack

Huge Kudos to Army IG! Paper tiger policies are worthless without the ability to monitor and enforce. Great job and thanks for sticking to your guns. A great article on doing commercial and BYOD right is here: http://gcn.com/articles/2013/03/29/byod-getting-it-right-the-first-time.aspx

Mon, Apr 8, 2013
Beltway Billy

This is easily solved. The DoD has offered free antivirus & CAC-in software for years. They could just as easily extend the contract with McAfee or Symantec or XYZ to also provide free, easy, default mobile device management and security for all Army users (GFE and personal devices). Right now hundreds of pilots all have these little stovepipe MDMs. This service would be the required-minumum for GFE devices w/o senstive info. Improved services would be required if you want to do sensitve stuff. Easy solution, just buy it and advertise it.

Mon, Apr 8, 2013
Beltway Bill
yes I said do do

One minor clarification wrt email. Pretty much any device (virii ridden home gaming PC, locked down iPhone, govt laptop, etc.) can CAC-into many DoD Outlook Web Access (OWA) sites, AKOP/DKO, and other sites. Thus you can indeed do, and many do do, email on CMDs.

Mon, Apr 8, 2013
Government emp

In my work with Government Financial accounting, whenever there was an audit, we had opportunities to question and discuss the findings before posting. No one could 'pull' the original report after posting. We could only respond.
Interesting that this was pulled. Was it because the IG felt the process or report wasn't accurate or was there pressure from outside for more favorable findings?

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.